I have a regular expression that extracts everything that exists between brackets.
Extraction:
(?i) .*? (?P<METHOD>\-\s+\[\w+.*.\])\s+\w+
I'm receiving the following warning:
Field extractor name=EXTRACT-METHOD is unusually slow (max single event time=1081ms, probes=5 warning max=1000ms)
That regex does look a bit odd to me. If you have an event like:
blah blah [yohoo_123] blah blah
and just want to extract yohoo_123
your regex should probably look more like:
...| rex "\[(?<METHOD>[^\]]+)\]"
i.e. after the opening square bracket, grab everything that is NOT a closing square bracket, followed by a closing square bracket.
/K
Should work.
props.conf
[your_sourcetype]
EXTRACT-blah = \s\[(?<METHOD>[^\]]+)\]\s
/k
I need the METHOD field to be persistent.
How do I put that in props.conf?
perfect dude:)
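An added example, not part of the thread: the two patterns compared in Python's re module, rewritten with Python's (?P<name>...) group syntax. It shows that the original pattern's greedy .* captures through the last ] on the line and that its leading lazy .*? makes a long non-matching event expensive, while the negated character class stops at the first ]. The sample events are constructed, and Splunk's regex engine differs from Python's, so the timings are indicative only.

```python
import re
import time

# The thread's two patterns, rewritten with Python's (?P<name>...) group syntax.
# Spaces in SLOW are treated as literal, as they appear in the original post.
SLOW = re.compile(r"(?i) .*? (?P<METHOD>\-\s+\[\w+.*.\])\s+\w+")
FAST = re.compile(r"\[(?P<METHOD>[^\]]+)\]")

# Constructed sample events, modelled on the thread's yohoo_123 example.
ONE_PAIR = "blah blah - [yohoo_123] blah blah"
TWO_PAIRS = "GET /x - [yohoo_123] user [other] done"
NO_MATCH = "word " * 600  # long event with nothing to extract


def extract(pattern, event):
    """Return the METHOD capture, or None when the event does not match."""
    m = pattern.search(event)
    return m.group("METHOD") if m else None


def best_time(pattern, event, runs=3):
    """Fastest of `runs` searches over one event, in seconds."""
    best = float("inf")
    for _ in range(runs):
        start = time.perf_counter()
        pattern.search(event)
        best = min(best, time.perf_counter() - start)
    return best


if __name__ == "__main__":
    for name, pat in (("slow", SLOW), ("fast", FAST)):
        print(name,
              repr(extract(pat, ONE_PAIR)),
              repr(extract(pat, TWO_PAIRS)),
              f"{best_time(pat, NO_MATCH) * 1000:.3f} ms on non-matching event")
```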